Breaking into a Drupal Site - Everyone learns to be scared, devs learn to fix
This session will focus on using security vulnerabilities to break into a Drupal site.
We'll look at some of the most common vulnerability types and how to exploit them. My feeling is that if people don't know how to break into their site, they won't know whether or not they are vulnerable (or whether they've fixed the vulnerabilities).
This session will be similar to previous sessions I've given on this topic including:
- XSS: still the number one security issue in Drupal
- CSRF: still common and hard-ish to fix (see also how to fix CSRF in Drupal)
- SQL injection and access bypass: easy to fix, still common
with the added bonus of
- A focus on how to exploit the vulnerabilities
- Ben Jeavons playing question champion (monitoring the IRC backchannel and Twitter)
So, be sure to bring your laptop with a test Drupal site running so that you can learn some basic tools to exploit vulnerabilities!
Portions of this presentation will be applicable to everyone because you will learn how to spot Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), access bypass, and SQL injection.
Portions of the presentation will be best for developers so you can know how to fix the weaknesses that everyone is finding in your modules and themes.
If you are interested in this session you may also be interested in Drupal Security - Configuration and Process.
About Greg's security experience
For several years now Greg has been working with the security team making the Drupal world more secure. A year ago he published Cracking Drupal. This spring he was a co-author with Ben Jeavons on the Drupal Security Report. And this past year he and Ben launched a service to provide Security Reviews for Drupal sites.